Tag Archives: data privacy

Something that is being spoken about more and more (due to the unfortunate higher frequency) is insider threat. It’s in the news an awful lot more than it ever used to be.

Do you remember the auditor of Morrisons who released a spreadsheet detailing just shy of 100,000 members of staff’s (very) personal details? He did end up getting jailed for 8 years, but I heard a saying recently: it’s not a digital footprint you leave, it’s more of a digital tattoo. Even two years after the incident, Morrisons is still suffering the effects.

Now obviously that was what you would call a malicious breach. It does unfortunately happen, but there are ways for you to protect your company against this. Firstly, we here at Data Compliant believe that if you have detailed joiner processes in place (i.e. thorough screening, references and criminal checks where appropriate), ongoing appraisals with staff and good leaver processes, you can minimise your risk.

Other ways in which insider breaches occur, and much more likely in my opinion, are negligence, carelessness and genuine accidents. Did you know that over 50% of data breaches are caused by staff error? This may be because staff do not follow company procedures correctly and open up pathways for hackers. Or it could be that your staff are tricked into handing over information that they shouldn’t.

Your staff could be your company’s weakest point when it comes to protecting its personal and confidential data. But you can take simple steps to minimise this risk by training your staff in data protection.

Online training has some big advantages for businesses: it’s a quick, efficient and relatively inexpensive way of training large numbers of employees while “taking them out of the business” for the least possible time.

The risk of a breach isn’t just to your business’ reputation, or even a hefty fine from the ICO, but, as mentioned before, potentially a criminal conviction. Now that is a lot to risk.

Talks on ensuring a high level of data protection across the EU are now complete, and the draft text was agreed on Wednesday 16th December 2015. Marketers are delighted with the “strong compromise” agreed by Parliament and Council negotiators in their last round of talks.

The draft regulation aims to give individuals control over their private data, while also creating clarity and legal certainty for businesses to spur competition in the digital market. Back in September Angela Merkel appealed to the European parliament to take a business view rather than simply look at the Regulation from a data protection perspective lest the legislation hold back economic growth in Europe. At the same time she described data as the “raw material” of the future and expressed her belief that it is fundamental to the digital single market.

The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned.

EU DPA Regulation – 7 Key Changes

4% Fines: The Council had called for fines of up to two percent of global turnover, while the Parliament’s version would have increased that to five percent. In apparent compromise, the figure has been set at four percent, which for global companies could amount to millions.

Data Protection Officers (DPOs): Companies will have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers. These do not have to be internal or full-time.

Consent: to marketers’ relief, consent will now have to be ‘unambiguous’ rather than the originally proposed ‘explicit’, which provides a more business-friendly approach to the legislation. In essence this means that direct mail and telephone marketing can still be conducted on an opt-out basis. Nonetheless, businesses will be obliged to ensure that consumers give their consent, by a clear and affirmative action, to the use of their data for a specific purpose.

Definition of Personal Data – the definition has been expanded in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Online identifiers – whether cookies and ISPs are personal data has been the subject of discussion for some months. James Milligan of the DMA has expressed the view that a compromise has been reached: “Whether or not online identifiers such as cookies fall into the definition of ‘personal data’ will depend on where they are placed in the online ecosystem. For example, a cookie placed by my internet service provider will be classified as personal data as it could identify me, whereas a cookie placed by an advertiser lower down the online ecosystem, which cannot be linked to my email address or anything else which could identify me, is unlikely to be considered as personal data. This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, ‘blind’ data can be more widely used than identifiable personal data.”

Profiling – Profiling has now been included under the term ‘automated decision making’. Individuals have the right not to be subject to the results of automated decision making, so they can opt out of profiling. It will be necessary to implement tick-boxes or similar mechanisms to secure the data subject’s positive indication of consent to specific processing activities related to Profiling.

Parental consent – Member states could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram. Instead, member states will now be free to set their own limits between 13 and 16 years.

Next Steps

The provisional agreements on the package will be put to a confirmation vote in the Civil Liberties Committee today (Thursday 17 December) at 9.30 in Strasbourg.

If the deal is approved in committee it will then be put to a vote by Parliament as a whole in the new year, after which member states will have two years to transpose the provisions of the directive into their national laws. The regulation, which will apply directly in all member states, will also take effect after two years.

Written by Michelle Evans, Compliance Director at Data Compliant Ltd.

If you would like further advice on how the EU Regulation will affect your business, just call Michelle or Victoria on 01787 277742 or email dc@datacompliant.co.uk

What was Safe Harbour?

The Safe Harbour Framework was a cross border transfer mechanism which complied with EU data protection laws and allowed the transfer of personal data between the EU and the USA. More details on how Safe Harbour worked can be found here.

Why was the Safe Harbour Framework invalidated?

After the recent Facebook case ruling, on 6th October, the Court of Justice of the European Union (CJEU) judged that “US Companies do not afford an adequate level of protection of personal data” and therefore the Safe Harbour Framework is now invalid.

The CJEU indicated that US legislation authorises on a general basis, storage of all personal data of all the persons whose data is transferred from the EU to the U.S. without any differentiation, limitation or exception being made in light of the objectives pursued, and without providing an objective criterion for determining limits to the access and use of this data by public authorities.

The CJEU further observed that the Safe Harbour Framework does not provide sufficient legal remedies to allow individuals to access their personal data and to obtain rectification or erasure of such data. This compromises the fundamental right to effective judicial protection, according to the CJEU. You can read the European Court of Justice Press Release here.

There have been concerns about the Safe Harbour Framework for some time and the European Commission and the US authorities have been negotiating with a view to introducing an arrangement providing greater protection of privacy to replace the existing agreement.

How can I now transfer my data to the US?

Organisations that have been using Safe Harbour will now have to review how they transfer personal data to the US and come up with alternative solutions. However, it is worth noting that the Information Commissioner’s Office has recognised that this process will take some time. And James Milligan at the DMA states that data already transferred to US-based companies under Safe Harbour will be unaffected.

In the meantime, multinational companies transferring data to their affiliates can look at using Binding Corporate Rules, which allow the transfer of data from the EEA in compliance with the 8th data protection principle.

Another legal method of transferring personal data to the US is to use the Model Contract Clauses produced by the EU for transfers of personal information outside the EU.

Michelle Evans, Compliance Director at Data Compliant Ltd.

If you are planning to transfer data between the EU and the US, and would like help on how to do so in the light of this new ruling, just call Michelle or Victoria on 01787 277742 or email dc@datacompliant.co.uk

The ongoing stories in the press are hurting charities who are being seen to be treating decent people – particularly vulnerable people – monstrously unfairly. The press and media are giving consumers an ever clearer perception of the charity sector as being irresponsible, uncaring and aggressive in their treatment of donors. And it does the data industry no favours at all.

Alarming data breach statistics are shown in the latest survey from HM Government*, with costs increasing to prohibitive levels for businesses large and small.

Data Breach Costs

Think a data breach can’t happen to you? Think again …

* All stats taken from 2015 Information Security Breaches Survey commissioned by HM Government – survey conducted by PwC in association with Infosecurity Europe

Protect your data …

The protection of your company data must be of paramount importance to you, so please get in touch if you would like to discuss the ever-changing issues surrounding data security and the steps you can take to keep your data safe. Call 01787 277742 or email victoria@datacompliant.co.uk